Update: eventually we installed nginx as an SSL/TLS proxy between OSB and the outdated backends. We could control all properties of the TLS connection from nginx downstream, including what SSL/TLS protocol to use, what certificate to present, and what ciphers are available. By removing the direct dependency this way, we were able to upgrade OSB and the backend systems separately, each on its own schedule.

Update 2: Here’s an example of an nginx configuration entry we use to arbitrate the TLS properties for one connection. Not all lines here are important. The main thing is that ESB connects to port 18401, and then nginx re-opens the connection to the target backend server with SSLv3. Bingo!